richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
795 Commits
29 Branches
80 Tags
155 MiB
Tree: d548cb6ac2
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'd548cb6ac2'
${ noResults }
kubespray/docs/ha-mode.md

124 lines
4.8 KiB
Raw Normal View History

Add ha docs Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
Add HA/LB endpoints for kube-apiserver * Add HA docs for API server. * Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver vars and usecases. * Use facts for kube_apiserver to not repeat code and enable LB endpoints use. * Use /healthz check for the wait-for apiserver. * Use the single endpoint for kubelet instead of the list of apiservers * Specify kube_apiserver_count to for HA layout Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
8 years ago
  1. HA endpoints for K8s
  2. ====================
  4. The following components require a highly available endpoints:
  5. * etcd cluster,
  6. * kube-apiserver service instances.
  8. The former provides the
  9. [etcd-proxy](https://coreos.com/etcd/docs/latest/proxy.html) service to access
  10. the cluster members in HA fashion.
  12. The latter relies on a 3rd side reverse proxies, like Nginx or HAProxy, to
  13. achieve the same goal.
  15. Etcd
  16. ----
  18. Etcd proxies are deployed on each node in the `k8s-cluster` group. A proxy is
  19. a separate etcd process. It has a `localhost:2379` frontend and all of the etcd
  20. cluster members as backends. Note that the `access_ip` is used as the backend
  21. IP, if specified. Frontend endpoints cannot be accessed externally as they are
  22. bound to a localhost only.
  24. The `etcd_access_endpoint` fact provides an access pattern for clients. And the
  25. `etcd_multiaccess` (defaults to `false`) group var controlls that behavior.
  26. When enabled, it makes deployed components to access the etcd cluster members
  27. directly: `http://ip1:2379, http://ip2:2379,...`. This mode assumes the clients
  28. do a loadbalancing and handle HA for connections. Note, a pod definition of a
  29. flannel networking plugin always uses a single `--etcd-server` endpoint!
  32. Kube-apiserver
  33. --------------
  35. K8s components require a loadbalancer to access the apiservers via a reverse
  36. proxy. A kube-proxy does not support multiple apiservers for the time being so
  37. you will need to configure your own loadbalancer to achieve HA. Note that
  38. deploying a loadbalancer is up to a user and is not covered by ansible roles
  39. in Kargo. By default, it only configures a non-HA endpoint, which points to
  40. the `access_ip` or IP address of the first server node in the `kube-master`
  41. group. It can also configure clients to use endpoints for a given loadbalancer
  42. type.
  44. A loadbalancer (LB) may be an external or internal one. An external LB
  45. provides access for external clients, while the internal LB accepts client
  46. connections only to the localhost, similarly to the etcd-proxy HA endpoints.
  47. Given a frontend `VIP` address and `IP1, IP2` addresses of backends, here is
  48. an example configuration for a HAProxy service acting as an external LB:
  49. ```
  50. listen kubernetes-apiserver-https
  51. bind <VIP>:8383
  52. option ssl-hello-chk
  53. mode tcp
  54. timeout client 3h
  55. timeout server 3h
  56. server master1 <IP1>:443
  57. server master2 <IP2>:443
  58. balance roundrobin
  59. ```
  61. And the corresponding example global vars config:
  62. ```
  63. apiserver_loadbalancer_domain_name: "lb-apiserver.kubernetes.local"
  64. loadbalancer_apiserver:
  65. address: <VIP>
  66. port: 8383
  67. ```
  69. This domain name, or default "lb-apiserver.kubernetes.local", will be inserted
  70. into the `/etc/hosts` file of all servers in the `k8s-cluster` group. Note that
  71. the HAProxy service should as well be HA and requires a VIP management, which
  72. is out of scope of this doc.
  74. The internal LB may be the case if you do not want to operate a VIP management
  75. HA stack and require no external and no secure access to the K8s API. The group
  76. var `loadbalancer_apiserver_localhost` (defaults to `false`) controls that
  77. deployment layout. When enabled, it is expected each node in the `k8s-cluster`
  78. group to run a loadbalancer that listens the localhost frontend and has all
  79. of the apiservers as backends. Here is an example configuration for a HAProxy
  80. service acting as an internal LB:
  82. ```
  83. listen kubernetes-apiserver-http
  84. bind localhost:8080
  85. mode tcp
  86. timeout client 3h
  87. timeout server 3h
  88. server master1 <IP1>:8080
  89. server master2 <IP2>:8080
  90. balance leastconn
  91. ```
  93. And the corresponding example global vars config:
  94. ```
  95. loadbalancer_apiserver_localhost: true
  96. ```
  98. This var overrides an external LB configuration, if any. Note that for this
  99. example, the `kubernetes-apiserver-http` endpoint has backends receiving
  100. unencrypted traffic, which may be a security issue when interconnecting
  101. different nodes, or may be not, if those belong to the isolated management
  102. network without external access.
  104. In order to achieve HA for HAProxy instances, those must be running on the
  105. each node in the `k8s-cluster` group as well, but require no VIP, thus
  106. no VIP management.
  108. Access endpoints are evaluated automagically, as the following:
  110. | Endpoint type | kube-master | non-master |
  111. |------------------------------|---------------|---------------------|
  112. | Local LB (overrides ext) | http://lc:p | http://lc:p |
  113. | External LB, no internal | https://lb:lp | https://lb:lp |
  114. | No ext/int LB (default) | http://lc:p | https://m[0].aip:sp |
  116. Where:
  117. * `m[0]` - the first node in the `kube-master` group;
  118. * `lb` - LB FQDN, `apiserver_loadbalancer_domain_name`;
  119. * `lc` - localhost;
  120. * `p` - insecure port, `kube_apiserver_insecure_port`
  121. * `sp` - secure port, `kube_apiserver_port`;
  122. * `lp` - LB port, `loadbalancer_apiserver.port`, defers to the secure port;
  123. * `ip` - the node IP, defers to the ansible IP;
  124. * `aip` - `access_ip`, defers to the ip.